
Bug#630232: New signatures for CAcert-Class 3-Subroot-certificate

Package: ca-certificates
Version: 20110421: all
Severity: important
Tags: security

CAcert has re-signed its Class 3-certificate with a new SHA256
signature. The formerly used MD5 signature is not seen as fully secure
any more by Mozilla (see: https://wiki.mozilla.org/CA:MD5and1024). Users
of Mozilla products like Firefox and Thunderbird may experience errors
when these programs try to verify such certificates - others may follow.
Hence all users of CAcert's Class 3-certificates have to download and
install the newly signed certificates from CAcert's website.

The procedure in short:
1. Download the new Class 3 PKI Key from
2. SHA1-fingerprint must be:
3. Make it of use in the ca-certificates package

I've added the tag that this bug is a security vulnerability. Well, not
exactly in the package itself, and the file itself also not. But if not
updated, users experience errors and may find a security issue has
occurred when it has not, or will experience a security vulnerability
because they have called a bad site with a hacked MD5 signature. So I
consider this as a security issue of priority low. Nevertheless I would
definitely want this bugfix to be included in all supported Debian
versions from stable (oldstable if supported) to experimental.

In case of further questions please don't hesitate to contact me.

Best regards,
Alexander Bahlo, CAcert.
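
An added example, not part of the bug report or of the ca-certificates package: a check a packager could run on a DER-encoded certificate before shipping it, rejecting an MD5 signature and comparing the SHA1 fingerprint against the published one. The two sample byte strings are constructed DER skeletons, not CAcert's certificates, and the fingerprint passed to `check` stands in for the value published on CAcert's website.

```python
import hashlib

# Signature-algorithm OIDs considered too weak to ship (RFC 3279 name)
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """OID of Certificate.signatureAlgorithm (the element after tbsCertificate)."""
    _, start, _ = read_tlv(der, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(der[oid_start:oid_end])

def sha1_fingerprint(der):
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 40, 2))

def check(der, published_fp):
    """Accept only if the signature is not MD5 and the fingerprint matches."""
    oid = signature_algorithm_oid(der)
    if oid in WEAK:
        return False, "weak signature: " + WEAK[oid]
    if sha1_fingerprint(der) != published_fp.upper():
        return False, "fingerprint mismatch"
    return True, oid

# Constructed DER skeletons (serial only, dummy signature), not real certificates
OLD_MD5 = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101040500" "030200aa")
NEW_SHA256 = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "030200aa")
```

A PEM file can be converted for this check with the standard library's `ssl.PEM_cert_to_DER_cert`.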